Swallow This

12:02 PM -- The pre-Black Hat run-up this year -- and there's always some sort of media run-up -- centers around researcher Joanna Rutkowska's claim from last year's Black Hat that it's possible to build an undetectable virtual machine rootkit. Her approach to doing this, which she calls Blue Pill, was demonstrated live to a fair bit of hoopla and it has to be said, was pretty impressive work.

The question, though, isn't whether Blue Pill is impressive. The question is whether it's impossible to detect well-constructed virtual machine hypervisor rootkits. In other words, can you reliably have software that detects that it's running under a hypervisor, rather than on a bare machine.

Three researchers with good pedigrees have issued what appears to be a simple challenge. (See Hacker Smackdown.) Thomas Ptacek, co-founder of Matasano Security, Root Labs's researcher Nate Lawson, and Symantec's senior researcher Peter Ferrie want to provide two laptops. Rutkowska would secretly infect one, then the threesome's detection software is run on the two machines. If the detection software can't catch Rutkowska's infection, then she keeps either laptop.

She's willing to take up the challenge -- sort of. She wants a couple rule changes. As far as I can tell, these seem reasonable, and the challengers have agreed to them. But she also wants somebody to fund her work, to the tune of several hundred thousand dollars.

I have tremendous respect for Rutkowska's technical skills, but I think she missed a beat on the business side of things here. She makes a rather difficult-to-prove claim, gains notoriety for it, and then wants someone else to fork over around four hundred grand so she can prove she wasn't just blowing smoke? Better, I think, simply to concede that she's not in a position to deliver this undetectable version of Blue Pill right now.

Meanwhile, rather than paying Joanna for several months of work that might not pan out, maybe someone would like to back the three challengers with a much bigger prize. Perhaps bankroll the contest so that whoever can get a VM rootkit past the detector that Ptacek, Lawson, and Ferrie have written on a consistent basis (five out of five rounds, say) gets $200,000. Anyone ready to pony up?

— Robert Richardson thinks he is director of the Computer Security Institute Computer Security Institute (CSI) , but unbeknownst to him, he is controlled by powers just out of sight over the horizon. Special to Dark Reading.